US Banks Plan Cyber Security Drill

A cyber attack drill aimed at helping companies understand risks during a cyber attack and evaluate their incident response strategies is set to happen in the second half of October. Companies can use this drill to analyse and update their cyber attack response plan. The drill is being conducted free of charge, and banks and financial institutions that provide payment services and are exposed to cyber attacks can participate.

The attack scenarios will include account takeover attempts that may be made while a DDoS attack is underway. There will be no real vulnerability tests of any of the systems. The exercise is purely a simulation. The drill will be conducted over 2 consecutive days. Each day, a set of scenarios will be posted and the organisation’s responses to those scenarios will be collected at a specified time of the day.
 
This drill is being sponsored by SWACHA (a regional payments association), NACHA (The Electronic Payments Association), FS-ISAC (The Financial Services Information Sharing & Analysis Center) and various state banking associations.
 
The organisers state that information shared during the drill will be kept confidential. Any statistics published will be anonymous and will not link a weakness to an institution.
 
A drill of a similar nature is long overdue for Indian banks and financial institutions. Banks can better understand their incident response capabilities and can plan for implementation of best practices.
 
The FAQ for the drill – CAPP FAQ
 

When will this take place?
Choose from one of two weeks:
October 16–17, 2013 – Registration Deadline: 10/9/13
October 23–24, 2013 – Registration Deadline: 10/16/13
 
Who should participate?
Financial institutions that provide payment services and are exposed to cyber attacks.
 
How much will this cost?
Participation is free.
 
How do I register?
You may register by using This Link.
 
How much time will this take to complete?
The exercise will be conducted over two consecutive days and the concluding survey will require less than one hour each day to complete.
You will receive each day’s scenario in the morning and we ask that you complete the survey portion by 12:00 midnight EST.
Organizations may wish to use this as an opportunity to conduct a drill within their own company – time requirements will vary.
 
What does our financial institution get out of participating?
Your institution’s incident response team will be able to evaluate your readiness if faced with a cyber attack. All participants will receive a summary of the exercise results.
 
What is the Payments Risk Council?
The Payment Risk Council’s goal is to share payment risk information for ACH, checks and wire payments as well as best practices to mitigate payment risk. PRC members are financial institution risk professionals, NACHA risk staff and ACH regional payment association managers.
 
Will this be an actual vulnerability test of my system?
No, this exercise is only a simulation. Each day of the exercise you will receive an email with that day’s scenario, a link to a broadcast of information about the scenarios and a series of questions for your organization to answer. When you are ready to answer the questions, you can click on the link to the survey tool to answer the questions for that day.
 
Will my organization’s information be published?
No, all participants and their input will be anonymous.
 
If my organization is not a member of FS-ISAC, can we participate?
Yes, this exercise is for the benefit of all organizations involved with payments.
 
Will the exercise require any special software?
No, you will only need an internet connection and email. You will be provided a link to an online survey tool called Survey Monkey where you will enter your responses.
 
What type of job functions should participate in the exercise?
IT Risk, IT Operations, Line of Business Managers, Call Center Management, Online Banking Managers, Treasury Managers, Legal and Compliance, Corporate Communications and any other function in the financial institution that would respond to a cyber attack against the institution.
 
What will my organization have access to when the exercise is completed?
You will have peer data to compare through an interactive after action report. Again, all company information will be kept confidential.
 
How can I use the results to benchmark my own organization’s performance?
Data will be available to you to sort by industry type, geographical location or size.
 
What is FS-ISAC?
The Financial Services Information Sharing and Analysis Center was launched in 1999. The FS-ISAC was established by the financial services sector in response to Presidential Directive 63 from 1998. That directive – later updated by Homeland Security Presidential Directive 7 in 2003 – mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.